Internal NATed Addr Exposed to Red Hosts

cbrown · 29 April 2024 12:39

In my Suricata fast.log I see entries dropped where the source is an external red net host that seems to know the NATed address of my internal green host.
Curious as to how external hosts 151.139.55.67 and 151.139.71.28 could know my NATed internal host IP Address.

ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 151.139.71.28:80 -> 192.168.2.208:53091
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 151.139.71.67:80 -> 192.168.2.208:58298
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 151.139.71.67:80 -> 192.168.2.208:58299
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 151.139.55.67:80 -> 192.168.2.208:58923
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 151.139.55.67:80 -> 192.168.2.208:58934

bonnietwin · 29 April 2024 12:46

They don’t.

I suspect that you have set up a port forward for port 80 to 192.168.2.208 and IPFire is following that port forward instruction and suricata is flagging/dropping the traffic because it is failing a signature.

So IPFire and suricata know that 151.139.55.67:80 should be directed to 192.168.2.208

cbrown · 29 April 2024 12:47

Thanks for the reply. However, I have no port forwarding from anything on red0.

bonnietwin · 29 April 2024 12:51

Then the only thing I can think of is that the traffic is part of an established connection started by a client on your network and the response from the website has come back in and failed the suricata signature.

Again the website will only know of the connection from your external IP address and IPFire does the translation from external IP to internal IP for that traffic connection from its connection table.

cbrown · 29 April 2024 12:56

Hmm, WhoIs shows the externals belong to “StackPath, LLC.”
I’m not knowingly establishing a connection with them … but I suppose some webpage is probably talking there.

bonnietwin · 29 April 2024 13:09

If the traffic is not due to an existing connection and you have no port forwards then any traffic coming from outside would never get to suricata as it would be dropped immediately on getting to IPFire.

Could it be an advert link or do you have all adverts blocked in your browser.

Beyond that I can’t think of any other process where the traffic could get to suricata to be flagged.

cbrown · 29 April 2024 13:14

This must be residue from the gazillion connections that happen behind web browsing – even with tracking and ad-blocking plug-ins enabled

Seems to be a common occurrence related to Windows Update …
Windows Update related alerts

Verified getting a fresh “ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response” shortly after doing a Windows Check for Updates